mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-25 23:36:16 +02:00
Fix it!
This commit is contained in:
parent
c036de086e
commit
6e1e15ffec
8 changed files with 48 additions and 29 deletions
|
@ -290,14 +290,19 @@ connected:
|
|||
auto drv = store->readDerivation(*drvPath);
|
||||
|
||||
std::optional<BuildResult> optResult;
|
||||
if (sshStore->isTrustedClient() || drv.type().isCA()) {
|
||||
// Hijack the inputs paths of the derivation to include all the paths
|
||||
// that come from the `inputDrvs` set.
|
||||
// We don’t do that for the derivations whose `inputDrvs` is empty
|
||||
// because
|
||||
// If we don't know whether we are trusted (e.g. `ssh://`
|
||||
// stores), we assume we are. This is neccessary for backwards
|
||||
// compat.
|
||||
if (std::optional trust = sshStore->isTrustedClient(); (!trust || *trust) || drv.type().isCA()) {
|
||||
// Hijack the inputs paths of the derivation to include all
|
||||
// the paths that come from the `inputDrvs` set. We don’t do
|
||||
// that for the derivations whose `inputDrvs` is empty
|
||||
// because:
|
||||
//
|
||||
// 1. It’s not needed
|
||||
// 2. Changing the `inputSrcs` set changes the associated output ids,
|
||||
// which break CA derivations
|
||||
//
|
||||
// 2. Changing the `inputSrcs` set changes the associated
|
||||
// output ids, which break CA derivations
|
||||
if (!drv.inputDrvs.empty())
|
||||
drv.inputSrcs = store->parseStorePathSet(inputs);
|
||||
optResult = sshStore->buildDerivation(*drvPath, (const BasicDerivation &) drv);
|
||||
|
|
2
tests/build-remote-trustless-after.sh
Normal file
2
tests/build-remote-trustless-after.sh
Normal file
|
@ -0,0 +1,2 @@
|
|||
outPath=$(readlink -f $TEST_ROOT/result)
|
||||
grep 'FOO BAR BAZ' ${remoteDir}/${outPath}
|
|
@ -1,11 +1,25 @@
|
|||
source common.sh
|
||||
|
||||
# We act as if remote trusts us, but it doesn't. This fails since we are
|
||||
# building input-addressed derivations with `buildDerivation`, which
|
||||
# depends on trust.
|
||||
[[ $busybox =~ busybox ]] || skipTest "no busybox"
|
||||
|
||||
unset NIX_STORE_DIR
|
||||
unset NIX_STATE_DIR
|
||||
|
||||
# We first build a dependency of the derivation we eventually want to
|
||||
# build.
|
||||
nix-build build-hook.nix -A passthru.input2 \
|
||||
-o "$TEST_ROOT/input2" \
|
||||
--arg busybox "$busybox" \
|
||||
--store "$TEST_ROOT/local" \
|
||||
--option system-features bar
|
||||
|
||||
# Now when we go to build that downstream derivation, Nix will try to
|
||||
# copy our already-build `input2` to the remote store. That store object
|
||||
# is input-addressed, so this will fail.
|
||||
|
||||
file=build-hook.nix
|
||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||
proto=ssh-ng
|
||||
trusting=true
|
||||
|
||||
! source build-remote-trustless.sh
|
||||
expectStderr 1 source build-remote-trustless.sh \
|
||||
| grepQuiet "cannot add path '[^ ]*' because it lacks a signature by a trusted key"
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
source common.sh
|
||||
|
||||
# Remote trusts us but we pretend it doesn't.
|
||||
# Remote trusts us
|
||||
file=build-hook.nix
|
||||
prog=nix-store
|
||||
proto=ssh
|
||||
trusting=false
|
||||
|
||||
source build-remote-trustless.sh
|
||||
source build-remote-trustless-after.sh
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
source common.sh
|
||||
|
||||
# Remote trusts us but we pretend it doesn't.
|
||||
# Remote trusts us
|
||||
file=build-hook.nix
|
||||
prog=nix-daemon
|
||||
proto=ssh-ng
|
||||
trusting=false
|
||||
|
||||
source build-remote-trustless.sh
|
||||
source build-remote-trustless-after.sh
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
source common.sh
|
||||
|
||||
# Remote doesn't trust us nor do we think it does
|
||||
# Remote doesn't trust us
|
||||
file=build-hook.nix
|
||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||
proto=ssh-ng
|
||||
trusting=false
|
||||
|
||||
source build-remote-trustless.sh
|
||||
source build-remote-trustless-after.sh
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
source common.sh
|
||||
|
||||
# We act as if remote trusts us, but it doesn't. This is fine because we
|
||||
# are only building (fixed) CA derivations.
|
||||
# Remote doesn't trusts us, but this is fine because we are only
|
||||
# building (fixed) CA derivations.
|
||||
file=build-hook-ca-fixed.nix
|
||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||
proto=ssh-ng
|
||||
trusting=true
|
||||
|
||||
source build-remote-trustless.sh
|
||||
source build-remote-trustless-after.sh
|
||||
|
|
|
@ -1,16 +1,14 @@
|
|||
if ! canUseSandbox; then exit; fi
|
||||
if ! [[ $busybox =~ busybox ]]; then exit; fi
|
||||
requireSandboxSupport
|
||||
[[ $busybox =~ busybox ]] || skipTest "no busybox"
|
||||
|
||||
unset NIX_STORE_DIR
|
||||
unset NIX_STATE_DIR
|
||||
|
||||
remoteDir=$TEST_ROOT/remote
|
||||
|
||||
# Note: ssh{-ng}://localhost bypasses ssh. See tests/build-remote.sh for
|
||||
# more details.
|
||||
nix build -L -v -f $file -o $TEST_ROOT/result --max-jobs 0 \
|
||||
nix-build $file -o $TEST_ROOT/result --max-jobs 0 \
|
||||
--arg busybox $busybox \
|
||||
--store $TEST_ROOT/local \
|
||||
--builders "$proto://localhost?remote-program=$prog&trusting=$trusting&remote-store=$TEST_ROOT/remote%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
|
||||
|
||||
outPath=$(readlink -f $TEST_ROOT/result)
|
||||
|
||||
grep 'FOO BAR BAZ' $TEST_ROOT/${subDir}/local${outPath}
|
||||
--builders "$proto://localhost?remote-program=$prog&remote-store=${remoteDir}%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
|
||||
|
|
Loading…
Reference in a new issue